Question on shellcode creation (idea for a MSF payload)

## Note to moderators: I know this is likely the wrong forum for this, but I guess maybe someone here can help so I posted it

So I was interested in creating a stealthy payload for Metasploit, and was looking up shellcode creation when I stumbled upon an interesting snippet in a book I was reading (Grey Hat Hacking, The Ethical Hackers Handbook, 3rd Edition). Here is the snippet, copypasta-ed from the book itself (I have it as an e-book).

"There are basically three ways to write shellcode:
• Directly write the hex opcodes.
• Write a program in a high-level language like C, compile it, and then disassemble it to obtain the assembly instructions and hex opcodes.
• Write an assembly program, assemble the program, and then extract the hex opcodes from the binary."

Now this got me thinking about something interesting - how the payload (shellcode) could in fact also be a device of privilege escalation - similar to, say, the Meterpreter shell.

I wrote, ages back, a simple HTTP trojan in MASM that simply checked a web-page for commands and executed them via the standard system shell in Windows (cmd.exe) out of sheer boredom. It did the standard stuff - created reg keys for persistence, checked a web app every half hour for updates to its command set, etc.

Now what got me interested was that above passage. I am not a master of assembly or disassembly, and have a lot to learn about exploit development, but I was interested in finding out if I could compile an evil.exe, then open it in a hex editor... and bam - shellcode?

Seems implausible to me, so I would love an explanation as to how it works. Could be interesting I think, and then I can go on to maybe writing new shellcode generation utilities or something. Not sure yet, just thinking...

I hope someone can help.

Regards,
Darren.

P.S. I noted when experimenting with the Poison Ivy malware, that you can choose to output as a shellcode array. IIRC, PI is written in ASM... Is that how it is working? My HTTP backdoor currently is smaller than PI, so perhaps may make better shellcode... Or something... not certain!